Chrome 144 Security Update Patches High-Severity CVE-2026-1504 in Background Fetch API
Google releases security update for Windows, macOS, and Linux addressing inappropriate implementation in Background Fetch API.
Google has released Chrome 144 for Windows, macOS, and Linux, addressing a high-severity vulnerability in the Background Fetch API tracked as CVE-2026-1504.
Vulnerability Details
The security update fixes an "inappropriate implementation" in the Background Fetch API that could potentially allow cross-origin data leakage in certain scenarios. Google awarded a bug bounty to researcher Luan Herrera for the report.
Affected Versions
The stable channel was updated to Chrome 144.0.7559.109/.110 for Windows and Mac and 144.0.7559.109 for Linux. Users are advised to update and restart their browsers to fully apply the fix.
Background Fetch API
The Background Fetch API enables web applications to defer background tasks such as downloads and data syncing. The security issue demonstrates how browser features that help sites feel like native apps can sometimes create edge cases that attackers might exploit.
Related Articles
Cloudflare 2026 Threat Report: 230 Billion Daily Blocked Threats and the Rise of Credential Attacks
Cloudflare has published its inaugural annual threat report revealing the company blocks over 230 billion threats daily across 20% of global web traffic. DDoS attacks doubled year-over-year to 47.1 million incidents, with the largest reaching a record 31.4 Tbps, while bots now account for 94% of all login attempts.
HashiCorp Patches Consul Arbitrary File Read Vulnerability in Kubernetes Auth
HashiCorp has released emergency patches for Consul to address CVE-2026-2808, a medium-severity vulnerability allowing arbitrary file reads when Kubernetes authentication is enabled. The fix also adds HTTP server timeouts to prevent Slowloris denial-of-service attacks against Consul agent endpoints.
Let's Encrypt Now Issues Six-Day Certificates and IP Address Certificates via Certbot
Let's Encrypt and the EFF have announced support for six-day (160-hour) certificates and IP address certificates through Certbot 5.3 and 5.4. The ultra-short-lived certificates reduce the impact window of compromised keys by design, while IP address certificates enable HTTPS for services identified by address rather than hostname.